- name: Create config directory
  file:
    path: /etc/nebula
    state: directory
    mode: "0700"
  become: true

- name: Install binaries
  unarchive:
    src: https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz
    dest: /usr/bin
    remote_src: true
    mode: "0755"
  become: true
  notify: restart nebula

- name: Install config
  template:
    src: files/nebula.yml
    dest: /etc/nebula/config.yml
    mode: "0600"
  become: true
  notify: restart nebula

- name: Install CA certificate
  template:
    src: files/ca.crt
    dest: /etc/nebula/ca.crt
    mode: "0600"
  become: true
  notify: restart nebula

- name: Install client certificates
  template:
    src: files/certs/{{ item }}
    dest: /etc/nebula/{{ item }}
    mode: "0600"
  loop:
    - "{{ ansible_hostname }}.key"
    - "{{ ansible_hostname }}.crt"
  become: true
  notify: restart nebula

- name: Install service
  get_url:
    url: https://raw.githubusercontent.com/slackhq/nebula/v{{ nebula_version }}/dist/arch/nebula.service
    dest: /usr/lib/systemd/system/nebula.service
    mode: "0644"
  become: true

- name: Enable service
  service:
    name: nebula
    enabled: true
  become: true

- name: Enable unsafe routing
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: ens18
    source: "{{ nebula.cidr }}"
    jump: MASQUERADE
  notify: persist iptables
  become: true
  when: ansible_hostname == "ingress"